(fix): Fixed Microtenant ID attribute for access policies (#385)

* (fix): Fixed Microtenant ID attribute for access policies

* fix: Updated to zscaler-sdk-go v2.1.5

* (doc): Updated changelog and release-notes to v3.0.4

CHANGELOG.md

@@ -1,14 +1,16 @@
 # Changelog
 
-## 3.0.4 (November, xx 2023)
+## 3.0.4 (November, 6 2023)
 
 ### Notes
 
-- Release date: **(November, xx 2023)**
+- Release date: **(November, 6 2023)**
 - Supported Terraform version: **v1.x**
 
 ### Fixes
 
+- [PR #385](/~https://github.com/zscaler/terraform-provider-zpa/pull/385) - Fixed `microtenant_id` attribute for all access policy types.
+  ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method.
 - [PR #383](/~https://github.com/zscaler/terraform-provider-zpa/pull/383) - Fixed issues with hard-coded authentication within the provider block.
 
 ## 3.0.3 (October, 27 2023)

docs/guides/release-notes.md

@@ -16,15 +16,17 @@ Track all ZPA Terraform provider's releases. New resources, features, and bug fi
 
 ---
 
-## 3.0.4 (November, xx 2023)
+## 3.0.4 (November, 6 2023)
 
 ### Notes
 
-- Release date: **(November, xx 2023)**
+- Release date: **(November, 6 2023)**
 - Supported Terraform version: **v1.x**
 
 ### Fixes
 
+- [PR #385](/~https://github.com/zscaler/terraform-provider-zpa/pull/385) - Fixed `microtenant_id` attribute for all access policy types.
+  ⚠️ **WARNING:**: The attribute ``microtenant_id`` is optional and requires the microtenant license and feature flag enabled for the respective tenant. The provider also supports the microtenant ID configuration via the environment variable `ZPA_MICROTENANT_ID` which is the recommended method.
 - [PR #383](/~https://github.com/zscaler/terraform-provider-zpa/pull/383) - Fixed issues with hard-coded authentication within the provider block.
 
 ## 3.0.3 (October, 27 2023)

examples/zpa_lss_config_controller/lss_config_application_segment.tf

@@ -12,7 +12,7 @@ resource "zpa_lss_config_controller" "example" {
   }
   policy_rule_resource {
     name   = "policy_rule_resource-example"
-    action = "ALLOW"
+    action = "LOG"
     conditions {
       negated  = false
       operator = "OR"

examples/zpa_lss_config_controller/lss_config_log_type_user_activity.tf

@@ -82,7 +82,7 @@ resource "zpa_lss_config_controller" "lss_user_activity" {
   }
   policy_rule_resource {
     name          = "policy_rule_resource-lss_user_activity"
-    action        = "ALLOW"
+    action        = "LOG"
     policy_set_id = data.zpa_policy_type.lss_siem_policy.id
     conditions {
       negated  = false

examples/zpa_lss_config_controller/lss_config_log_type_user_status.tf

@@ -42,7 +42,7 @@ resource "zpa_lss_config_controller" "lss_user_activity" {
   }
   policy_rule_resource {
     name          = "policy_rule_resource_lss_user_status"
-    action        = "ALLOW"
+    action        = "LOG"
     policy_set_id = data.zpa_policy_type.lss_siem_policy.id
     conditions {
       negated  = false

examples/zpa_lss_config_controller/lss_config_segment_group.tf

@@ -12,7 +12,7 @@ resource "zpa_lss_config_controller" "example" {
   }
   policy_rule_resource {
     name   = "policy_rule_resource-example"
-    action = "ALLOW"
+    action = "LOG"
     conditions {
       negated  = false
       operator = "OR"

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/hashicorp/terraform-plugin-docs v0.16.0
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0
-	github.com/zscaler/zscaler-sdk-go/v2 v2.1.4
+	github.com/zscaler/zscaler-sdk-go/v2 v2.1.5
 )
 
 require (
@@ -31,7 +31,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/uuid v1.3.1 // indirect
+	github.com/google/uuid v1.4.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect

go.sum

@@ -182,8 +182,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
-github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
+github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -401,8 +401,8 @@ github.com/zclconf/go-cty v1.14.0 h1:/Xrd39K7DXbHzlisFP9c4pHao4yyf+/Ug9LEz+Y/yhc
 github.com/zclconf/go-cty v1.14.0/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
 github.com/zclconf/go-cty-yaml v1.0.2/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
-github.com/zscaler/zscaler-sdk-go/v2 v2.1.4 h1:bL7vAtMozSVGHZq28jXfHnnYmraddZ++Vl6R8GbdPLc=
-github.com/zscaler/zscaler-sdk-go/v2 v2.1.4/go.mod h1:PQscsdJVbmOXn7xqkRz3MdwYrt2UGHg37ZlON77iptg=
+github.com/zscaler/zscaler-sdk-go/v2 v2.1.5 h1:Am2Ef/4LEny0oEFwDZSIVnWDJQhL4M6B1gd0n6s8iMo=
+github.com/zscaler/zscaler-sdk-go/v2 v2.1.5/go.mod h1:FlyAshwzxeaYpqAUGpQ4KLBdjIBKjbTOMKhRwUjD5ck=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

zpa/data_source_zpa_enrollement_cert.go

@@ -101,18 +101,22 @@ func dataSourceEnrollmentCert() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"microtenant_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 	}
 }
 
 func dataSourceEnrollmentCertRead(d *schema.ResourceData, m interface{}) error {
-	zClient := m.(*Client)
+	service := m.(*Client).enrollmentcert.WithMicroTenant(GetString(d.Get("microtenant_id")))
 
 	var resp *enrollmentcert.EnrollmentCert
 	id, ok := d.Get("id").(string)
 	if ok && id != "" {
 		log.Printf("[INFO] Getting data for signing certificate %s\n", id)
-		res, _, err := zClient.enrollmentcert.Get(id)
+		res, _, err := service.Get(id)
 		if err != nil {
 			return err
 		}
@@ -121,7 +125,7 @@ func dataSourceEnrollmentCertRead(d *schema.ResourceData, m interface{}) error {
 	name, ok := d.Get("name").(string)
 	if id == "" && ok && name != "" {
 		log.Printf("[INFO] Getting data for signing certificate name %s\n", name)
-		res, _, err := zClient.enrollmentcert.GetByName(name)
+		res, _, err := service.GetByName(name)
 		if err != nil {
 			return err
 		}
@@ -150,6 +154,7 @@ func dataSourceEnrollmentCertRead(d *schema.ResourceData, m interface{}) error {
 		_ = d.Set("valid_to_in_epoch_sec", resp.ValidToInEpochSec)
 		_ = d.Set("zrsa_encrypted_private_key", resp.ZrsaEncryptedPrivateKey)
 		_ = d.Set("zrsa_encrypted_session_key", resp.ZrsaEncryptedSessionKey)
+		_ = d.Set("microtenant_id", resp.MicrotenantID)
 	} else {
 		return fmt.Errorf("couldn't find any signing certificate with name '%s' or id '%s'", name, id)
 	}

zpa/resource_zpa_policy_access_forwarding_rule.go

@@ -55,7 +55,7 @@ func resourcePolicyForwardingRule() *schema.Resource {
 
 func resourcePolicyForwardingRuleCreate(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
-
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
 	req, err := expandCreatePolicyForwardingRule(d)
 	if err != nil {
 		return err
@@ -65,7 +65,7 @@ func resourcePolicyForwardingRuleCreate(d *schema.ResourceData, m interface{}) e
 	if err := ValidateConditions(req.Conditions, zClient, req.MicroTenantID); err != nil {
 		return err
 	}
-	policysetcontroller, _, err := zClient.policysetcontroller.Create(req)
+	policysetcontroller, _, err := service.Create(req)
 	if err != nil {
 		return err
 	}
@@ -75,14 +75,14 @@ func resourcePolicyForwardingRuleCreate(d *schema.ResourceData, m interface{}) e
 }
 
 func resourcePolicyForwardingRuleRead(d *schema.ResourceData, m interface{}) error {
-	zClient := m.(*Client)
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
 
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("CLIENT_FORWARDING_POLICY")
+	globalPolicySet, _, err := service.GetByPolicyType("CLIENT_FORWARDING_POLICY")
 	if err != nil {
 		return err
 	}
 	log.Printf("[INFO] Getting Policy Set Rule: globalPolicySet:%s id: %s\n", globalPolicySet.ID, d.Id())
-	resp, _, err := zClient.policysetcontroller.GetPolicyRule(globalPolicySet.ID, d.Id())
+	resp, _, err := service.GetPolicyRule(globalPolicySet.ID, d.Id())
 	if err != nil {
 		if obj, ok := err.(*client.ErrorResponse); ok && obj.IsObjectNotFound() {
 			log.Printf("[WARN] Removing policy rule %s from state because it no longer exists in ZPA", d.Id())
@@ -114,7 +114,8 @@ func resourcePolicyForwardingRuleRead(d *schema.ResourceData, m interface{}) err
 
 func resourcePolicyForwardingRuleUpdate(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("CLIENT_FORWARDING_POLICY")
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
+	globalPolicySet, _, err := service.GetByPolicyType("CLIENT_FORWARDING_POLICY")
 	if err != nil {
 		return err
 	}
@@ -125,33 +126,33 @@ func resourcePolicyForwardingRuleUpdate(d *schema.ResourceData, m interface{}) e
 		return err
 	}
 	if err := ValidateConditions(req.Conditions, zClient, req.MicroTenantID); err == nil {
-		if _, _, err := zClient.policysetcontroller.GetPolicyRule(globalPolicySet.ID, ruleID); err != nil {
+		if _, _, err := service.GetPolicyRule(globalPolicySet.ID, ruleID); err != nil {
 			if respErr, ok := err.(*client.ErrorResponse); ok && respErr.IsObjectNotFound() {
 				d.SetId("")
 				return nil
 			}
 		}
 
-		if _, err := zClient.policysetcontroller.Update(globalPolicySet.ID, ruleID, req); err != nil {
+		if _, err := service.Update(globalPolicySet.ID, ruleID, req); err != nil {
 			return err
 		}
 
 		return resourcePolicyForwardingRuleRead(d, m)
 	} else {
-		return err
+		return fmt.Errorf("couldn't validate the zpa policy forwarding (%s) operands, please make sure you are using valid inputs for APP type, LHS & RHS", req.Name)
 	}
 }
 
 func resourcePolicyForwardingRuleDelete(d *schema.ResourceData, m interface{}) error {
-	zClient := m.(*Client)
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("CLIENT_FORWARDING_POLICY")
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
+	globalPolicySet, _, err := service.GetByPolicyType("CLIENT_FORWARDING_POLICY")
 	if err != nil {
 		return err
 	}
 
 	log.Printf("[INFO] Deleting policy forwarding rule with id %v\n", d.Id())
 
-	if _, err := zClient.policysetcontroller.Delete(globalPolicySet.ID, d.Id()); err != nil {
+	if _, err := service.Delete(globalPolicySet.ID, d.Id()); err != nil {
 		return err
 	}
 

zpa/resource_zpa_policy_access_inspection_rule.go

@@ -51,6 +51,7 @@ func resourcePolicyInspectionRule() *schema.Resource {
 
 func resourcePolicyInspectionRuleCreate(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
 
 	req, err := expandCreatePolicyInspectionRule(d)
 	if err != nil {
@@ -59,27 +60,27 @@ func resourcePolicyInspectionRuleCreate(d *schema.ResourceData, m interface{}) e
 	log.Printf("[INFO] Creating zpa policy inspection rule with request\n%+v\n", req)
 
 	if err := ValidateConditions(req.Conditions, zClient, req.MicroTenantID); err == nil {
-		policysetcontroller, _, err := zClient.policysetcontroller.Create(req)
+		policysetcontroller, _, err := service.Create(req)
 		if err != nil {
 			return err
 		}
 		d.SetId(policysetcontroller.ID)
 
 		return resourcePolicyInspectionRuleRead(d, m)
 	} else {
-		return err
+		return fmt.Errorf("couldn't validate the zpa policy inspection (%s) operands, please make sure you are using valid inputs for APP type, LHS & RHS", req.Name)
 	}
 }
 
 func resourcePolicyInspectionRuleRead(d *schema.ResourceData, m interface{}) error {
-	zClient := m.(*Client)
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
 
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("INSPECTION_POLICY")
+	globalPolicySet, _, err := service.GetByPolicyType("INSPECTION_POLICY")
 	if err != nil {
 		return err
 	}
 	log.Printf("[INFO] Getting Policy Set Rule: globalPolicySet:%s id: %s\n", globalPolicySet.ID, d.Id())
-	resp, _, err := zClient.policysetcontroller.GetPolicyRule(globalPolicySet.ID, d.Id())
+	resp, _, err := service.GetPolicyRule(globalPolicySet.ID, d.Id())
 	if err != nil {
 		if obj, ok := err.(*client.ErrorResponse); ok && obj.IsObjectNotFound() {
 			log.Printf("[WARN] Removing policy rule %s from state because it no longer exists in ZPA", d.Id())
@@ -109,7 +110,8 @@ func resourcePolicyInspectionRuleRead(d *schema.ResourceData, m interface{}) err
 
 func resourcePolicyInspectionRuleUpdate(d *schema.ResourceData, m interface{}) error {
 	zClient := m.(*Client)
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("INSPECTION_POLICY")
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
+	globalPolicySet, _, err := service.GetByPolicyType("INSPECTION_POLICY")
 	if err != nil {
 		return err
 	}
@@ -120,33 +122,33 @@ func resourcePolicyInspectionRuleUpdate(d *schema.ResourceData, m interface{}) e
 		return err
 	}
 	if err := ValidateConditions(req.Conditions, zClient, req.MicroTenantID); err == nil {
-		if _, _, err := zClient.policysetcontroller.GetPolicyRule(globalPolicySet.ID, ruleID); err != nil {
+		if _, _, err := service.GetPolicyRule(globalPolicySet.ID, ruleID); err != nil {
 			if respErr, ok := err.(*client.ErrorResponse); ok && respErr.IsObjectNotFound() {
 				d.SetId("")
 				return nil
 			}
 		}
 
-		if _, err := zClient.policysetcontroller.Update(globalPolicySet.ID, ruleID, req); err != nil {
+		if _, err := service.Update(globalPolicySet.ID, ruleID, req); err != nil {
 			return err
 		}
 
 		return resourcePolicyInspectionRuleRead(d, m)
 	} else {
-		return err
+		return fmt.Errorf("couldn't validate the zpa policy inspection (%s) operands, please make sure you are using valid inputs for APP type, LHS & RHS", req.Name)
 	}
 }
 
 func resourcePolicyInspectionRuleDelete(d *schema.ResourceData, m interface{}) error {
-	zClient := m.(*Client)
-	globalPolicySet, _, err := zClient.policysetcontroller.GetByPolicyType("INSPECTION_POLICY")
+	service := m.(*Client).policysetcontroller.WithMicroTenant(GetString(d.Get("microtenant_id")))
+	globalPolicySet, _, err := service.GetByPolicyType("INSPECTION_POLICY")
 	if err != nil {
 		return err
 	}
 
 	log.Printf("[INFO] Deleting policy inspection rule with id %v\n", d.Id())
 
-	if _, err := zClient.policysetcontroller.Delete(globalPolicySet.ID, d.Id()); err != nil {
+	if _, err := service.Delete(globalPolicySet.ID, d.Id()); err != nil {
 		return err
 	}